What is a Privacy Breach?
A privacy breach occurs when an organisation or individual provides unauthorised or accidental access to someone’s personal information, or discloses, alters, loses or destroys it.
Reporting serious breaches of privacy became a legal requirement in December 2020. In the 11 months following the announcement, reporting increased by almost 300 percent compared with the same timeframe the previous year.
The leading cause of privacy breaches in New Zealand is human error.
Causes of Privacy Breaches
Breach causes are grouped into five categories: human error, malicious attack, theft, system error, and other. The leading cause of privacy breaches has been human error (61 percent).
According to a report published by the Office of the Privacy Commissioner (OPC), “the most common type of human error causing privacy breaches is email error” which accounts for over a quarter of the breaches.
Email error is preventable with good systems in place and training around company processes. “Other types of human error include accidental disclosure of sensitive personal information, data entry errors, confidentiality breaches, redaction errors, postal and courier errors,” states the OPC’s report.
Privacy Breaches Resulting in Serious Harm
While only breaches that have caused, or have the potential to cause, serious harm need to be reported, the OPC recommends erring on the side of caution: if in doubt, report your privacy breach. A third of all privacy breaches reported in the 11 months since reporting became mandatory have met the threshold of serious harm.
There are ten types of harm recognised by the OPC. The most common is emotional harm, which was involved in 35 percent of serious breaches reported between December 2020 and October 2021.
Breaches of privacy occur across all sectors, from private to non-profit, and in a wide range of industries. Most organisations in New Zealand hold Kiwis’ personal information in some form, and it is their responsibility to ensure it is kept secure at all times.
Privacy Breach Notification Timeframe
Privacy Commissioner John Edwards has emphasised that timely privacy breach notification is a mandatory obligation. “In June this year, we set out our expectations around the timeliness of privacy breach notification clearly. A notifiable breach should be reported to us no later than 72 hours after an agency has become aware of it.”
Even with this expectation in place, less than half of all serious breach notifications are being made within the 72-hour timeframe. The OPC has created a tool that allows you to report privacy breaches. The NotifyUs tool on their website allows you to notify their office of any breach and then update the notification as more information becomes available.
This enables breaches to be brought forward as soon as you are aware of them, giving the OPC more time to support you in reducing potential harm to affected individuals.
The NotifyUs tool also offers a “Privacy breach self-assessment” tool. It is completely anonymous and aims to guide you in deciding whether the breach meets the threshold for being reported.
Failure to report a serious privacy breach is a criminal offence that may result in a fine of up to $10,000.